1. Technical Field
The present disclosure relates to email and, more specifically, to a method and system for isolating suspicious email.
2. Description of the Related Art
Today computers are used by businesses, institutions and individuals to assist in the performance of important tasks. Computers may also be used to store and organize sensitive information. For these reasons and others, users have come to rely heavily on the proper functioning of computer applications and the safe keeping of sensitive information. Even a temporary disruption of functionality or a brief exposure of sensitive information could bring costly consequences to a business, institution or user relying on computer resources.
Malicious programs represent a large and growing threat to the proper function of computer systems and their ability to keep sensitive information confidential. Malicious programs are computer programs that are specifically intended to disrupt computer systems and computer networks. The threat posed by malicious programs ranges from a simple nuisance to a severe disruption of computer and/or network function, loss or compromise of data, and/or destruction of computer hardware.
Popular forms of malicious programs may include computer viruses, worms, and Trojan horses. A computer virus is a malicious program that may propagate by infecting other computer programs by embedding a copy of itself into the other computer program. Once infected, computer viruses may be capable of delivering a malicious payload. Malicious payloads may perform a destructive act such as, for example, the deletion of files. A Trojan horse is a malicious program that is disguised as a legitimate program, that once it is run, may be able to circumvent security measures and open the door to a subsequent malicious attack. A worm is a malicious program that propagates over a computer network by sending off multiple copies of itself as it travels.
Malicious programs may use one or more of multiple channels for infecting computers and/or propagating. For example, a computer virus may be transferred from one computer to another by transferring an infected file by floppy disk, computer network and/or email. Malicious programs may be transferred by email either as a binary file such as, for example, an executable file sent as an email attachment, and/or through the use of, for example, HTML instructions (tags) that may be embedded in the body of the email message. In addition, malicious programs can be manifested through links or attachments within Instant Messaging (IM) communications.
Many security measures have been developed to combat the threat of malicious programs. Examples of popular security measures include antivirus programs, firewalls and intrusion detection systems (IDSs). An antivirus program is a computer program that scans files and memory located on a computer for traces of viruses. Antivirus programs may scan for the presence of a virus signature. A virus signature is a pattern that can be observed in a file that has been infected with a known virus. Each known virus may have a signature to identify that particular virus. Antivirus programs that scan for virus signatures may continuously update a database of virus signatures so known viruses may be properly identified. Signature databases may then be kept up to date by adding new signatures for new viruses as they are discovered.
Antivirus programs may use heuristic scanners to detect a malicious program without relying on virus signatures. Heuristic virus scanners may be able to intelligently estimate whether computer code has been infected by a malicious program. This technique relies on programmed logic, called heuristics, to make its determinations. While a heuristic virus scan has the potential to protect against viruses that are new and unknown, the efficacy of these scanners is constantly improved by updated heuristics that should be obtained and incorporated into the heuristic virus scanners in much the same way that new virus signatures should be obtained when using the virus signature scan technique. Additionally, heuristic virus scanners may run the risk of categorizing non-malicious programs as malicious and/or categorizing malicious programs as non-malicious.
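The two scanning techniques just described, signature matching and heuristic estimation, are illustrated by the following added example, which is not part of this disclosure and is not any antivirus vendor's code. The sample files, the signature database, the heuristic indicator list and the threshold are all constructed for the example; it shows that a signature scan only finds what its database already knows (so the database must be updated for a new sample), and that a heuristic scan can flag a benign installer that happens to use the same indicators, the false-positive risk noted above.

```python
# Added example: minimal signature scanner and heuristic scanner over constructed sample files.
# Nothing here is real malware; patterns and "files" are made-up byte strings.

# Constructed sample "files" (bytes), labelled as they would be on disk.
SAMPLE_FILES = {
    "invoice.exe": b"MZ\x90\x00 ... EVIL_PAYLOAD_V1 ... end",      # contains a known pattern
    "notes.txt": b"meeting notes for tuesday",                      # plain text, nothing of note
    "installer.exe": b"MZ\x90\x00 setup CreateRemoteThread WriteProcessMemory",  # legitimate but API-heavy
    "newsample.exe": b"MZ\x90\x00 NEW_WORM_MARKER_Q",               # unknown until a signature is added
}

# Signature database: virus name -> byte pattern observed in infected files.
# Keeping this current is exactly the "update the database" step in the text.
SIGNATURES = {"Demo.Virus.A": b"EVIL_PAYLOAD_V1"}

# Heuristic indicators (constructed list): API names commonly seen in code-injection
# routines. Their presence raises a score; they are not proof of infection.
HEURISTIC_INDICATORS = [b"CreateRemoteThread", b"WriteProcessMemory", b"VirtualAllocEx"]


def signature_scan(data, signatures=SIGNATURES):
    """Return the names of every known signature whose pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def heuristic_score(data, indicators=HEURISTIC_INDICATORS):
    """Count how many heuristic indicators occur in data."""
    return sum(1 for indicator in indicators if indicator in data)


def classify(data, signatures=SIGNATURES, heuristic_threshold=2):
    """Signature hits win outright; otherwise fall back to the heuristic score.

    Returns a (verdict, reasons) tuple with verdict in {"malicious", "suspicious", "clean"}.
    """
    hits = signature_scan(data, signatures)
    if hits:
        return ("malicious", hits)
    score = heuristic_score(data)
    if score >= heuristic_threshold:
        return ("suspicious", ["heuristic score %d" % score])
    return ("clean", [])


def update_signatures(signatures, name, pattern):
    """Return a new database with one signature added (models a signature update)."""
    updated = dict(signatures)
    updated[name] = pattern
    return updated


def scan_all(files, signatures=SIGNATURES):
    """Classify every sample and return {filename: verdict}."""
    return {name: classify(data, signatures)[0] for name, data in files.items()}


if __name__ == "__main__":
    print("before update:", scan_all(SAMPLE_FILES))
    newer_db = update_signatures(SIGNATURES, "Demo.Worm.Q", b"NEW_WORM_MARKER_Q")
    print("after update: ", scan_all(SAMPLE_FILES, newer_db))
```

Running it shows "newsample.exe" moving from clean to malicious once its signature is added, while "installer.exe" is reported suspicious by the heuristic alone: a practitioner would treat that verdict as a prompt for further analysis rather than as a conviction, which is the trade-off the paragraph above describes.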
A firewall is an application or a dedicated gateway server designed to protect a secure network from an insecure network. A firewall intercepts communication traffic between the secure network and the insecure network and verifies that the traffic conforms to a predetermined security policy. Traffic that conforms to the security policy may be allowed to pass the firewall while traffic that violates the security policy may be blocked.
There are multiple types of firewalls. Some firewalls may verify that traffic conforms to the security policy by inspecting one or more portions of the header fields, such as, for example, source and destination IP addresses, ports of communication, etc. Here the security policy may contain rules pertaining to what header field characteristics are allowable and/or not allowable. These firewalls may reduce network performance by slowing down the flow of traffic as traffic is inspected. Other firewalls may allow traffic to pass without inspection where the communication has been initiated within the protected network.
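The header-inspecting firewall described above, including the variant that lets traffic initiated from inside the protected network pass without further inspection, can be modelled in a few dozen lines. The following is an added example written for this page, not code from the disclosure or from any firewall product; the internal address range, the policy rules and the packets are constructed, and the rules are evaluated first-match-wins with a deny-by-default fallback, which is the usual convention but an assumption here.

```python
# Added example: a header-inspecting firewall with first-match rules and a small
# session table so that replies to internally initiated connections are passed
# without rule inspection. All addresses, ports and rules are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed protected network (RFC 1918 space).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    """Just the header fields the policy inspects."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass
class Rule:
    """One policy line; None in a field means 'any'."""
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.proto is None or self.proto == pkt.proto))


# Constructed policy, evaluated top to bottom, first match wins.
POLICY = [
    Rule("allow", dst="10.0.0.5/32", dst_port=25, proto="tcp"),  # inbound SMTP to the mail server only
    Rule("deny", dst="10.0.0.0/8"),                              # every other packet aimed inside
    Rule("allow", src="10.0.0.0/8"),                             # anything leaving the protected network
]


class Firewall:
    def __init__(self, policy, internal=INTERNAL_NET):
        self.policy = policy
        self.internal = internal
        self.sessions = set()  # 5-tuples of connections initiated from inside

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto)

    @staticmethod
    def _reverse(pkt: Packet):
        # The 5-tuple the original outbound packet would have had.
        return (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port, pkt.proto)

    def decide(self, pkt: Packet) -> str:
        # Fast path: a reply to a session opened from inside skips rule inspection.
        if self._reverse(pkt) in self.sessions:
            return "allow (established)"
        for rule in self.policy:
            if rule.matches(pkt):
                if rule.action == "allow" and ipaddress.ip_address(pkt.src_ip) in self.internal:
                    self.sessions.add(self._key(pkt))  # remember the outbound connection
                return rule.action
        return "deny"  # default deny when no rule matches


def run_demo():
    """Push a constructed packet sequence through the policy; returns the verdicts."""
    fw = Firewall(POLICY)
    inbound_smtp = Packet("203.0.113.7", "10.0.0.5", 51000, 25, "tcp")
    inbound_ssh = Packet("203.0.113.7", "10.0.0.9", 51001, 22, "tcp")
    outbound_https = Packet("10.0.0.9", "93.184.216.34", 40000, 443, "tcp")
    https_reply = Packet("93.184.216.34", "10.0.0.9", 443, 40000, "tcp")
    unsolicited = Packet("93.184.216.34", "10.0.0.9", 443, 40001, "tcp")  # no matching session
    return [fw.decide(p) for p in (inbound_smtp, inbound_ssh, outbound_https, https_reply, unsolicited)]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The last two packets differ only in the client port, yet one is passed as established and the other is denied by the inbound rule: the session table is what distinguishes a reply to an internally initiated connection from an unsolicited inbound packet, and it is also why such firewalls inspect less traffic than a purely rule-driven one.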
An intrusion detection system (IDS) is generally implemented on a computer network to monitor the computer network and detect anomalous traffic that can be indicative of a potential problem, for example a worm infection. IDSs may be either active or passive. Active IDSs may take affirmative measures to remedy a potential infection when found while passive IDSs may be used to alert a network administrator of the potential problem. By searching for anomalous traffic, some IDSs may be able to identify previously unknown malicious programs without the help of a virus signature. Other IDSs may use signature databases to identify patterns of behavior that may be indicative of known malicious program infections.
While many of the above described systems provide some degree of protection from malicious programs, a degree of caution on the part of users can often provide a high degree of protection against malicious programs. For example, users wishing to avoid infection from malicious programs may exercise caution when executing a program that has been received as an email attachment and/or when opening an email that has embedded HTML tags. While many emails that have been automatically generated to propagate malicious programs, for example worms, may be readily identifiable as such, increasingly sophisticated worms are able to generate emails that appear to be authentic. For example, an email associated with a worm might appear to have originated from a contact known to the user and/or have a subject line that would appear familiar and/or not out of place to the user.
As malicious programs use more advanced tactics to generate more realistic emails, it may be increasingly difficult to determine whether an email is associated with a malicious program or whether the email is authentic. The user may be faced with the limited options of either opening the email and potentially exposing the user's computer system and computer network to a malicious program, or deleting the email and risking the loss of an important communication.